ISE: Authentication vs Posturing - log correlation?

Right from the start it is INCREDIBLY easy to see who is trying to log in to the VPN using ISE...and then it is easy to get to the screen that tells you who passed/failed posturing.
What I am looking for is a way to tell if someone logged in but did not get postured at all. We have a handful of users for whom the NAC agent keeps disappearing, hanging, or just not responding. In these cases, I can see that they authenticate, but there is no entry I can find that says: hey, this user logged in, but no posturing happened.
This would be extremely helpful in doing proactive support so we can contact these users and see what is going on.
Anyone know of a way to make this happen?
Thanks,
Dirk       
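One way to get the "authenticated but never postured" list the question asks for is to correlate an exported ISE log offline: collect every passed authentication, mark the sessions for which any posture record (compliant or not) appears, and report the rest once a grace period has passed. The script below is an added example written for this page, not ISE code or a Cisco tool. The sample lines are constructed: the category names mirror ISE's CISE_Passed_Authentications and CISE_Posture_and_Client_Provisioning_Audit syslog categories, but the line layout, field order, session ids and users are assumptions that must be adapted to a real export. Sessions are keyed on AcsSessionID rather than username, so a posture record that arrives without a username still matches its authentication.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export (not a real ISE log). Category names mirror ISE's
# syslog categories; layout, session ids and users are made up for this example.
SAMPLE_LOG = """\
2014-05-01 09:00:01 ise01 CISE_Passed_Authentications UserName=dirk, AcsSessionID=ise01/1001, NAS-IP-Address=10.1.1.5
2014-05-01 09:00:09 ise01 CISE_Posture_and_Client_Provisioning_Audit UserName=dirk, AcsSessionID=ise01/1001, PostureStatus=Compliant
2014-05-01 09:05:00 ise01 CISE_Passed_Authentications UserName=anna, AcsSessionID=ise01/1002, NAS-IP-Address=10.1.1.5
2014-05-01 09:07:30 ise01 CISE_Passed_Authentications UserName=bob, AcsSessionID=ise01/1003, NAS-IP-Address=10.1.1.5
2014-05-01 09:07:55 ise01 CISE_Posture_and_Client_Provisioning_Audit AcsSessionID=ise01/1003, PostureStatus=NonCompliant
2014-05-01 09:20:00 ise01 CISE_Passed_Authentications UserName=carol, AcsSessionID=ise01/1004, NAS-IP-Address=10.1.1.5
this line is deliberately unparseable and is skipped
"""

# "<timestamp> <host> <category> <key=value, key=value, ...>" (assumed layout)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<category>\S+) (?P<kv>.*)$"
)
AUTH_CATEGORY = "CISE_Passed_Authentications"
POSTURE_CATEGORY = "CISE_Posture_and_Client_Provisioning_Audit"


@dataclass
class Event:
    ts: datetime
    category: str
    attrs: dict


def parse_log(text):
    """Parse the export into Event records, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate noise instead of aborting the whole report
        attrs = {}
        for pair in m.group("kv").split(", "):
            key, _, value = pair.partition("=")
            attrs[key.strip()] = value.strip()
        events.append(Event(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                            m.group("category"), attrs))
    return events


def find_unpostured(events, now, grace=timedelta(minutes=5)):
    """Return authenticated sessions with no posture record of any outcome.

    A session younger than `grace` is not reported: the agent may still be
    starting, and paging support for it would be noise.
    """
    auth_by_session = {}
    postured = set()
    for e in events:
        sid = e.attrs.get("AcsSessionID")
        if not sid:
            continue  # cannot correlate without a session id
        if e.category == AUTH_CATEGORY:
            auth_by_session[sid] = e
        elif e.category == POSTURE_CATEGORY:
            postured.add(sid)  # Compliant or NonCompliant both count as "postured"

    report = []
    for sid, e in sorted(auth_by_session.items(), key=lambda kv: kv[1].ts):
        if sid in postured or now - e.ts < grace:
            continue
        report.append({
            "user": e.attrs.get("UserName"),
            "session": sid,
            "nas": e.attrs.get("NAS-IP-Address"),
            "authenticated_at": e.ts.isoformat(sep=" "),
        })
    return report


def unpostured_users(log_text, now_str, grace_minutes=5):
    """Convenience wrapper: usernames needing a proactive support call."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    rows = find_unpostured(parse_log(log_text), now, timedelta(minutes=grace_minutes))
    return [row["user"] for row in rows]


if __name__ == "__main__":
    for row in find_unpostured(parse_log(SAMPLE_LOG), datetime(2014, 5, 1, 9, 22)):
        print(f"{row['user']} session {row['session']} on {row['nas']} "
              f"authenticated {row['authenticated_at']} but was never postured")
```

Run against the sample with "now" at 09:22, it reports only anna: dirk and bob both produced a posture record (bob's was NonCompliant, which is a different problem and already visible in the posture report), and carol authenticated two minutes ago and is still inside the grace window.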

I think I ran into this issue and the problem lies in the way the username is missing when CoA is sent to the IPN when a client is "compliant". I don't have an instance in 1.2 yet to see if this has changed with the new live authentications dashboard, but it might be worth opening a TAC case to see if the IPN logging has changed.

Similar Messages

  • Cisco ISE (1.3) Posture and re-authentication

    Hello,
    With posture and re-authentication, during the re-authentication the posture status switches to pending. This results in a redirect to client provisioning and a temporary but unwanted state with no access to network resources.
    Is there a way to work around this?
    Regards,
    Dennis

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected because your machine was not authenticated prior to this connection.
    The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at, but I'd do those two first.
    Log off and on, or reboot, and then see if you at least get a failed machine auth on the Operations > Authentications page, and we can go from there.

  • ISE authentication fail during windows re-logon

    Background:
    Deployed a Cisco ISE 1.1.2. that is used to authenticate and posture validate for wired users, attached to Cisco IP Phones. Backend database is Microsoft AD.
    Problem:
    The first time, both users and IP Phones pass the authentication and posture validation steps successfully. When the user logs off from Windows, the log off is done without any problem, and I can see it on the switch.
    The problem takes place when the user tries to log on again. ISE does not match the configured authentication rules as it did the first time, and puts the user directly into the default "DenyAccess" policy (rule).
    Anyone out there experienced something similar or have any ideas on why this is happening?
    Thanks.

    Hi
    Possible Causes
    • This could be either a MAB or 802.1X authentication issue.
    • The authorization profile could be missing the Cisco av-pair="device-traffic-class=voice" attribute. As a result, the switch does not recognize the traffic on the voice VLAN.
    • The administrator did not add the endpoint as a static identity, or did not allow an unregistered endpoint to pass. Create a policy rule with "Continue/Continue/Continue" upon failure.
    Resolution
    • Verify that the Authorization Policy is framed properly for groups and conditions, and check to see whether the IP phone is profiled as an "IP phone" or as a "Cisco-device."
    • Verify the switch port configuration for multidomain and voice VLAN configuration.
    • Add the continue/continue/continue to allow the endpoint to pass:
    Choose Policy > Policy Elements > Results > Authentication > Allowed
    Protocols to create a Protocol Policy. MAC authentications use PAP/ASCII and EAP-MD5 protocols. Enable the following MAB Protocols settings:
    – Process Host Lookup
    – PAP/ASCII
    – Detect PAP as Host Lookup
    – EAP-MD5
    – Detect EAP-MD5 as Host Lookup
    • From the main menu, choose Policy > Authentication.
    • Change the authentication method from Simple to Rule-Based
    • Use the action icon to create new Authentication Method entries for MAB:
    – Name: MAB
    – Condition: IF MAB RADIUS:Service-Type == Call Check
    – Protocols: allow protocols MAB_Protocols and use
    – Identity Source: Internal
    – Hosts: Continue/Continue/Continue

  • Can I use ISE IPN without posture for VPN with Base license only?

    I'm looking at ISE licensing, and both Base and Advanced licenses have VPN listed. I could not find any document that provides guideline for VPN implementation using ISE Base license only.
    1. Can I use ISE IPN (Inline Posture Node) functionality without posture assessment with ISE Base license only? (I know it has to be ISE hardware appliance, and I know that Posture assessment requires ISE Advanced license.)
    2. Do I have to use IPN for VPN deployment using ISE as the Radius server?
    3. If I do not have to use IPN for VPN, can I use ISE for Authentication and Authorization in the same way as I use ACS?
    Thanks,
    Val Rodionov

    Val,
    There is no need to consider IPN if you are not using posturing. You can use ISE much like ACS for radius authentication for vpn users.
    If posturing is down the road and your hope is to have an architecture in place and license later, then I am sure that you can use the IPN with base licensing; however, I would strongly recommend working with the PDI (for partners) for help and confirmation.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE post compliant posture assessment URL redirection

    G'day All,
    Is anyone aware if it is possible for ISE to push a URL redirection to user devices once they have passed the posture assessment?
    I am deploying a wireless BYOD ISE deployment with AD auth and posture assessment, and we are hoping to find an easy way to push the compliant users to a new URL once they have passed posture.
    Thanks gang.
    Cheers,
    James.               

    It is not possible to redirect a user to a specific URL after authentication and posturing, because ISE does not support this feature so far.
    I think URL redirection can be done in web authentication if used in the case of an employee.
    Navigate to Policy > Policy Elements > Results > Authorization and then select Authorization Profiles.
    Select Add to create a new Authorization Profile for Central Web Authentication:
    Name: Central_Web_Auth
    Description: (optional)
    Access-Type: ACCESS_ACCEPT
    DACL Name: CENTRAL_WEB_AUTH
    Centralized Web Authentication ACL: ACL-WEBAUTH-REDIRECT
    Redirect: Default
    "ACL-WEBAUTH-REDIRECT" is configured on the switch and determines which destinations are redirected.

  • ISE 1.2 - Posture Detail Assessment - enforcement audit mode report not show status for non-compliant

    - For the old version 1.1.4 it could be reported for non-compliant. How can I generate a report for this?
    Thanks
    Kosin Usuwanthim

    It used to be in there (id 226635 is the last one with it); should I clean it up a bit and put it back with a bit more of a disclaimer?

  • ISE 1.2 Posture Assessment with AnyConnect Client

    Hi Experts,
    I need clarity on posture assessment with the AnyConnect client. I understood that we had the traditional NAC agent with ISE 1.1.
    Since the new AnyConnect version 4 has come, which is used for ISE 1.3 posture assessment, I am not sure if I can use AnyConnect 4 with ISE 1.2? Can you please shed light on this?
    If not, do I need to upgrade to ISE 1.3? What is the process to upgrade to ISE 1.3?
    Thanks in advance

    ISE can provision clients with an agent and configure agent profiles. You have client-provisioning policies that enable users to download and install resources on client devices (Windows and Mac OS X NAC Agents, Cisco NAC Web Agent).

  • Cisco ISE authentication failed because client reject certificate

    Hi Experts,
    I am a newbie in ISE and having problem in my first step in authentication. Please help.
    I am trying to deploy a standalone Cisco ISE 1.1.2 with a WLC using 802.1x authentication. The user authentication is configured to be checked against ISE's internal user database for early deployment. But when the user tries to authenticate, they fail with this error message in ISE:
    Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    I've generated a certificate for ISE using a Windows Server CA and replaced ISE's self-signed certificate with the new certificate, but authentication still fails with the same error message. Must I generate a certificate for the WLC also? Please help me in solving this problem.
    Regards,
    Ratna

    Certificate-Based User Authentication via Supplicant Failing
    Symptoms or Issue: User authentication is failing on the client machine, and the user is receiving a "RADIUS Access-Reject" form of message.
    Conditions: This issue occurs with authentication protocols that require certificate validation.
    Possible Authentications report failure reasons:
    • "Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
    • "Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate"
    Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:
    • 12305 Prepared EAP-Request with another PEAP challenge
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is reusing an existing session
    • 12304 Extracted EAP-Response containing PEAP challenge-response
    • 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    • 12512 Treat the unexpected TLS acknowledge message as a rejection from the client
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is re-using an existing session
    • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
    • 12815 Extracted TLS Alert message
    • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    Note: This is an indication that the client does not have or does not trust the Cisco ISE certificates.
    Possible Causes: The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.
    Resolution: The client machine must accept the Cisco ISE certificate to enable authentication.

  • ISE 1.2 not logging failed authentications on guest portal (CWA)

    Hi there
    I think this is a bug but wanted to check, if someone knows a good reason why failed authentication attempts with a non-existing user account are not logged on ISE 1.2 (CWA).
    The different cases:
    Case 1: existing user / wrong password -> logged
    Case 2: no user / any password -> logged
    Case 3: no user / no password -> logged
    Case 4: non-existing user / any password -> not logged
    In my opinion this is a critical case to be logged because this could be an indicator of a DoS attack or a password penetration test.
    Thanks in advance and best regards
    Dominic

    Hi vatullu
    thanks man, you helped me a lot.
    Regards
    Dominic

  • ISE 1.2.1 logs full of Identity/Endpoint ID of 00:00:00:00:00:03, authentication failed

    After an upgrade to 1.2.1, I now see a lot of auth failed entries with an Identity/Endpoint ID of 00:00:00:00:00:03.
    I don't see this MAC on the switch port of the NAS where ISE reports it.
    Anybody know what this is and how to stop it from happening?
    thanks

    Answers are:
    It's an HP ESXi server. 2x Win7 VM PCs run on this machine, each with a dedicated NIC.
    I haven't, will shut the VM's and shut the ports and see what happens.
    The auth session shows the MAC, but the switch MAC table doesn't
    SW1-C3750X#show authentication sessions int gi 1/0/19
    Interface MAC Address Method Domain Status Fg Session ID
    Gi1/0/19 000c.2931.54f6 dot1x DATA Auth 0A0A01FE000000870EDF8C3B
    Gi1/0/19 0000.0000.0003 N/A UNKNOWN Unauth 0A0A01FE000000B219576F86
    SW1-C3750X#show mac address-table int gi 1/0/19
    Mac Address Table
    Vlan Mac Address Type Ports
    100 000c.2931.54f6 STATIC Gi1/0/19
    Thanks for replying.

  • ISE 1.0 Posture and Client provisioning

    I've configured 802.1x with dynamic VLAN for users and MAB for phones - it works fine. Now I want to implement client provisioning and posture validation for users. After reading the ISE user guide there are still several big questions:
    1. Is it possible to combine 802.1x and posture? (it was not recommended with NAC)
    2. How can I bind existing 802.1x authorization profile and posture policy?
    3. What is a switch configuration for client provisioning to work(redirect, quarantine zone, download NAC agent)?
    4. Do ISE posture and client provisioning have L2 virtual gateway, trusted and untrusted ports, as in NAC?

    With ISE you can perform 802.1x first and after that optionally you can perform posture. This is done with Radius, that's why it's really and completely out of band, and there's no such concept of trusted or untrusted port because the traffic is never inline.
    Still, with ISE you have another option of "inline Posture", in which there's trusted and untrusted ports. I guess that's for some specific cases in which you can't go out-of-band.
    On the other hand, the so-called "out-of-band" NAC was really always an inline solution; only after the user has authenticated and security policies have been verified does the user go "out-of-band".

  • Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

    Hi,
    I have a setup with ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except some users report disconnection. I see in ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
    The error is enclosed & here is the port configuration.
    Port Configuration:
    interface GigabitEthernet0/2
     switchport access vlan 120
     switchport mode access
     switchport voice vlan 121
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 120
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 60
     spanning-tree portfast
     ip dhcp snooping limit rate 30
    Please help.

    The error message means that the Active Directory server rejected the authentication attempt
    because for some reason the user account got locked. I guess you should ask your AD team to check in the AD
    event logs why the user account got locked.
    Under Event Viewer, you can find it out.
    Regards
    Minakshi (Do rate the helpful posts)

  • Cisco ISE (1.3) Posture without Client Provisioning

    Hello readers,
    Is it possible to set up Cisco ISE with posture without Client Provisioning?
    My customer deploys the NAC Agent via MS SCCM. We prefer an access-accept + DACL during the pending state instead of redirecting to client provisioning. But the NAC Agent will only communicate when we redirect to client provisioning.
    Regards,
    Dennis


  • ISE authentication

    HI All
    I hope someone is able to help with the following:
    We currently use ISE to authenticate domain users connecting to our corporate wifi. ISE checks Windows AD for the wireless policy. The issue is that once a machine connects to the wifi, it allows any user to connect regardless of whether that user is allowed access in a later policy.
    We would like to configure authorization so that it uses Computer and User authorization, i.e. only if the computer and the user are in AD can the user successfully authenticate.
    The problem with this config is that I can log onto a corp laptop as a local user and still get access to the corporate wifi.
    The reason being that the connection hits the first rule, which allows computer access, and doesn't check the user authentication.
    I'd therefore like to configure ISE so that it checks for computer and user authentication together, so that both parts need to be met before access is allowed.
    Regards Craig

    Hi Craig
    Authentication policies define the protocols that Cisco ISE should use to communicate with the network devices, and the identity sources that it should use for authentication. A policy is a set of conditions and a result. A policy condition consists of an operand (attribute), an operator (equal to, not equal to, greater than, and so on), and a value. Compound conditions are made up of one or more simple conditions that are connected by the AND or OR operator. At runtime, Cisco ISE evaluates the policy condition and then applies the result that you have defined based on whether the policy evaluation returns a true or a false value.
    Note: During policy condition evaluation, Cisco ISE compares an attribute with a value. It is possible to run into a situation where the attribute specified in the policy condition may not have a value assigned in the request. In such cases, if the operator that is used for comparison is "not equal to," then the condition will evaluate to true. In all other cases, the condition will evaluate to false.
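The note above about missing attributes is the detail that quietly widens a policy, and it bears directly on Craig's problem: a first-match rule list where the machine rule permits before any user rule is consulted. The following is an added example written for this page, not ISE code or Cisco documentation. It models only the evaluation semantics the reply describes: simple conditions (attribute, operator, value), AND/OR compounds, first-match rule order, and the rule that a missing attribute satisfies "not equal to" and nothing else. The attribute names Machine:ADGroup and User:ADGroup and the rule names are hypothetical placeholders; how ISE actually carries machine-authentication state into the user's session (the MAR mentioned earlier on this page) is outside this toy.

```python
from dataclasses import dataclass
from typing import Any, Tuple


@dataclass(frozen=True)
class Condition:
    attribute: str
    operator: str   # "==", "!=", "<" or ">"
    value: Any


@dataclass(frozen=True)
class Compound:
    op: str                    # "AND" or "OR"
    children: Tuple[Any, ...]  # Conditions or nested Compounds


_OPS = {
    "==": lambda actual, expected: actual == expected,
    "!=": lambda actual, expected: actual != expected,
    "<": lambda actual, expected: actual < expected,
    ">": lambda actual, expected: actual > expected,
}


def evaluate(cond, request):
    """Evaluate a condition against a request (dict of attribute -> value)."""
    if isinstance(cond, Compound):
        results = [evaluate(child, request) for child in cond.children]
        return all(results) if cond.op == "AND" else any(results)
    if cond.attribute not in request:
        # Missing attribute: only "not equal to" evaluates to true (per the note above).
        return cond.operator == "!="
    return _OPS[cond.operator](request[cond.attribute], cond.value)


def first_match(rules, request):
    """First-match rule evaluation; fall through to the default DenyAccess."""
    for name, cond, result in rules:
        if evaluate(cond, request):
            return name, result
    return "Default", "DenyAccess"


# Hypothetical attribute names standing in for AD group membership of the
# machine identity and of the user identity.
MACHINE_IN_DOMAIN = Condition("Machine:ADGroup", "==", "Domain Computers")
USER_IN_DOMAIN = Condition("User:ADGroup", "==", "Domain Users")

# Craig's current policy: the machine rule is consulted first and permits on its own.
ORIGINAL_RULES = [
    ("Domain computers", MACHINE_IN_DOMAIN, "PermitAccess"),
    ("Domain users", USER_IN_DOMAIN, "PermitAccess"),
]

# What he is asking for: one rule that requires both parts together.
COMBINED_RULES = [
    ("Domain computer AND domain user",
     Compound("AND", (MACHINE_IN_DOMAIN, USER_IN_DOMAIN)), "PermitAccess"),
]

# A corporate laptop with a local (non-AD) account: the user attribute is absent.
LOCAL_USER_ON_CORP_LAPTOP = {"Machine:ADGroup": "Domain Computers"}
# A corporate laptop with a domain account: both attributes present.
DOMAIN_USER_ON_CORP_LAPTOP = {"Machine:ADGroup": "Domain Computers",
                              "User:ADGroup": "Domain Users"}

# The pitfall: excluding a group with "not equal to" admits a request that has
# no user attribute at all, because the missing attribute makes "!=" true.
NOT_A_CONTRACTOR = Condition("User:ADGroup", "!=", "Contractors")
PITFALL_RULES = [
    ("Anyone but contractors", Compound("AND", (MACHINE_IN_DOMAIN, NOT_A_CONTRACTOR)),
     "PermitAccess"),
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("combined", COMBINED_RULES),
                         ("pitfall", PITFALL_RULES)):
        print(label, "local user ->", first_match(rules, LOCAL_USER_ON_CORP_LAPTOP))
        print(label, "domain user ->", first_match(rules, DOMAIN_USER_ON_CORP_LAPTOP))
```

With the original rule order the local user is permitted by the machine rule alone; with the combined AND rule the missing User:ADGroup makes "==" false and the request falls through to DenyAccess, while the domain user still matches. The PITFALL_RULES case shows why a "not equal to" exclusion is not a safe substitute for a positive membership check when the attribute can be absent.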

  • ISE 1.2 Posture Update Issue

    In ISE 1.2 the message below is shown when we do a web posture update, either manual or automatic.
    "Remote address is not accessible. Please make sure update feed url, proxy address and proxy port are properly configured".
    It was working fine for a long time and all of a sudden it stopped working,
    and no changes have been made on the network side.
    https://www.cisco.com/web/secure/pmbu/posture-update.xml is working in the browser.
    A few customers have reported the same. The boxes are installed with the latest patch, version 7.
    We can upload the updates through offline mode.

    I have experienced the same issue. Both the posture update feed URLs 
    1. https://www.cisco.com/web/secure/pmbu/posture-update.xml
    2. https://www.perfigo.com/ise/posture-update.xml
    give the same error, when the ISE boxes try to do the updates. But these URLs are accessible from outside.
    A TCP dump taken from a box shows a "Certificate unknown Alert" (when it tries to update) for the certificate received from the other end. Then the ISE box sends a (FIN,ACK) and terminates the session.
    The relevant pcap file is attached
